'Demystifying Cyber Security - Myths vs Realities' Perspective/Event Summary

Camille Kokozaki

Guest
I attended tonight an event planned, organized, and presented by IEEE Communications Society of Santa Clara Valley (ComSocSCV) and co-sponsored by IEEE Computer Society of Silicon Valley which consisted of a presentation by Ed Talbot & Tom Kroeger from Sandia National Laboratories (Livermore) entitled Demystifying Cyber security - Myths vs Realities. It highlighted some commonly perceived criteria of goodness for security that are in fact myths. The most common myths were (it seems there were many, and the speakers had 14 at last count, and I am somewhat paraphrasing):

- The more layers of defense, the better.
- Burdensome security is better security (like strong passwords).
- Security exists because the user runs their executables on their data using their own system that they control.

Counterexamples were provided with an interesting set of cases/graphics/pictures that illustrated the fallacies, pitfalls and risks of the false sense of security (pun intended) of believing in those precepts. They highlighted the reality of countermeasures being invariably defensive and asymmetric (as in defensive measures must defend against every possible exploit whereas attacks need to only find one unprotected vulnerability). With vulnerabilities due to various implementations being limitless and with threats exploiting vulnerabilities faster than they can be detected, the presenters stated that we are reaching the point where more needs to be done to address this issue comprehensively with formal quantitative assertions, new creative approaches and foolproof methods rather than reactive trial and error rules-of-thumb.

Without getting into more details of the presentation (which will be made available here if and when it gets posted), the talk was interesting and was sprinkled with actual cases, quotes, analogies, bon-mots and thoughtful observations. An animated discussion ensued with skeptical statements pointing to 'these were issues known in the seventies' and 'you will always have the social engineering and insiders defeating any security measure' angles. One attendee pointed out that one of the Wikileaks consequences was making data useless (to hackers/users alike) by the mere fact of being revealed. Good point.

I managed to throw in what I termed a 'radical' suggestion to address the issue. I posited that if we start declaring any computer device that has a virus on it a defective device subject to return, the computer industry will quickly find ways to solve this issue in a major way (even if 80% of problem cases are fixed, this is a good thing) and instead of having a cottage industry selling anti-virus software to consumers, they can better serve the public if they focus on helping the computer industry build better immune hardware or operating systems, so we pay an extra $50 for that extra hardware, I can live with that. Come to think of it this may be why McAfee was bought by Intel. I also happen to resent having to continually pay to fix things that should work by definition. Would you pay yearly to have every appliance (as in microwave, washer-dryer) you own remain immune to threats?

I also think that we need to quit trying to protect everything, but instead we should prioritize the mission critical threats/problems and work very hard on protecting those. Some problems are inherently entropic and are disruptive by definition and we cannot make them behave. This reminds me of Deming's advice of managing quality with a built-in steady state run-rate as opposed to fitting every peg in every slot in a production line because you will never get there. But I digress and I probably overdid the analogy thing.

What do you think? Is this a solvable problem? Are things out of control?

As always, all errors of transcriptions are mine and if anyone attended, feel free to chime in, opine, correct, point out omissions, counterpoint and all that.


 
Even the department of defence in the US reckons that the only strong enough security measure is to create what they call an "air-gap" which is to say don't connect their computers to external networks at all. That broke down when USB keys introduced viruses so those got banned too, causing a lot of problems since there are devices, for example, on coastguard ships that don't have CD-ROM and so have no other way to upload dynamic data. And that, of course, is the tradeoff. You can have stronger security by significantly reducing usefulness.

Just like as a society we can have a police state (and maybe less risk, but maybe not: how many terrorists have the TSA caught for our billions of dollars? That would be none) or we can have an open society (and maybe more risk, but maybe not: how many terrorists have citizens disarmed on planes? That would be at least a couple more than the TSA have caught).
 
Thank you Camille, it was nice seeing you again. The thing that struck me about the meeting was the average age of the attendee. I looked quite young in comparison! Your "radical" suggestion was the only one that made sense, absolutely. I always wondered if the anti virus companies created the virus threats themselves to increase valuation. The other comment that struck me was the "insecurity" can be at the wafer level, meaning that a semiconductor device can have a back door, and I will certainly never trust an FPGA again!

I left the meeting with the feeling that nothing on your computer is safe. If a hacker really wants it, it is theirs for the taking. The only hope I see is the cloud where your data is mixed into others and distributed amongst many clouds creating a high enough level of signal to noise to discourage targeting.

One measure I took immediately is taking my name off of my wireless router. My home network is now named after a router manufacturer, not the brand I use of course!

Thank you again for the post. Keep posting and win an iPad2!
 
Thanks Dan. It was good to see you as well. I gave up a long time ago believing that anything is safe. When context-aware ads pop up vaguely related to the topic you are addressing in an email, and when geo-location can be pinpointed with your smart phone, you have to wonder is anything beyond cyber reach? I joke that my systems are so secure that even I cannot log in sometimes. It is definitely true that the cloud will allow you more security by breaking up files into bytes stored separately on separate drives to reduce the usefulness of unauthorized access to data. The Cloud crowd has also figured out ways to insert security at every step from the physical layer all the way to the application layer. One good suggestion mentioned in the talk was some professor stating that perfect security can only be achieved with perfect anonymity, non-persistence of data (meaning erasing things routinely everywhere) and end-point sender receiver secure connections.
 
Thanks for attending last night's event and writing a blog!

Thanks for attending our event last night and writing a blog about it! We really appreciate it. Please check out our other blockbuster event on May 11 with 2 VPs of Broadcom and Qualcomm debating the evolution of LTE from a semiconductor perspective. Check the details on www.comsocscv.org
Looking forward to saying hello to you again!
Thanks,
Affif Siddique
CMO - IEEE Comsoc-SCV
 
Thanks Alan for the attribution correction. My bad. I fixed in the original posting.

Affif and Alan: This was a great event and the May 11 session sounds pretty good. Keep 'em coming and thanks for hosting them.
 
Another problem that the cloud will solve? Because the data is stored in multiple locations? My expectation is that any relief provided by the cloud will be brief, but that users will be heavily committed by the time the major problems surface.

The problems as I see them can roughly be categorised as spying and loss-of-service. I don't know the failure modes for the cloud itself (doubtless anything I can think of at this stage will have been addressed) but given that the data needs to be assembled and delivered there will doubtless be potential. And even while the cloud itself remains secure there will be vulnerabilities at the point of access - unless and until the only link to every user is a single hardware-verified link to the cloud. (BTW, Daniel, thank you for handing me the new key to your router - I'll remember if I'm ever at the end of your street and need data access.)

One thing I definitely agree with is that a single effective security system beats multiple ones: this was brought home to me when, following 9/11, in a single airport I was searched at five consecutive locations - and none of them addressed either shoes or _____
 
It is much more than that. One problem is potential Trojan horses residing in 3rd party IP blocks or introduced in the manufacturing stage in an unsecured foundry. Another problem is tampering to extract critical data. Reverse engineering and counterfeiting are related problems. NY Times reported about fake Cisco routers penetrating defense companies and critical infrastructures. The semiconductor industry is losing about $200 billion per year because of counterfeiting.
Posted by Miron Abramovici
 